What is Integrity?
Dan Fleck
CS 469: Security Engineering
These slides are modified with permission from Bill Young (Univ of Texas)
Meaning of Computer Security
Recall that computer security is described as encompassing at least:
• Confidentiality: who can read information;
• Integrity: who can write or modify information;
• Availability: what mechanisms ensure that resources are available when needed.
Confidentiality models, like BLP, are useful but obviously limited. How might we extend our models to handle integrity concerns?
(Callout: "Wait a sec Fleck, what about 'no write down'?")
Integrity
• Who is authorized to supply or modify data?
• How do you separate and protect assets?
• How do you detect and/or correct erroneous or unauthorized changes to data?
• Can authorizations change over time?
Unlike confidentiality, a program can damage integrity without interaction with the external world, simply by computing data incorrectly.
Integrity is a fuzzier notion than confidentiality and more context dependent.
Integrity Thought Experiment
Suppose you're checking out at the grocery store and on the adjacent newsrack you notice the headline: "Hillary Clinton to have Alien's Baby." Do you believe it?
Your reaction might be different depending on whether the publication is:
1. The New York Times: Wow! Could there be something to this?
2. The Wall Street Journal: The vast right wing conspiracy is after poor Hillary again!
3. The National Enquirer: They clearly just made it up.
What's different in the three cases? It's your assessment of the integrity of the source.
Integrity Labels
As we did with confidentiality, we might assign integrity labels:
• A subject's label measures the confidence one places in its ability to produce / handle information.
  A certified application may have more integrity than freeware downloaded from the Internet.
• An object's label characterizes the degree of "trustworthiness" of the information contained in that object.
  Gossip overheard on the subway should have lower credibility than a report from a panel of experts.
Commercial Concerns
Integrity concerns are frequently more important than confidentiality concerns in commercial settings.
For example, Steve Lipner (Microsoft) describes several commercial requirements:
1. Users will not write their own programs, but use existing production software.
2. Programmers develop and test applications on a nonproduction system, possibly using contrived data. Why not use production?
3. Moving applications from development to production requires a special process. This process must be controlled and audited. Why?
4. Managers and auditors must have access to system state and system logs. Why do they care?
Some Integrity Principles
Intuitively, integrity relates to how much you trust an entity to produce, protect, or modify data.
Some integrity principles:
Separation of Duty: different steps in a critical process should be done by different people.
Separation of Function: different functions should be separated as much as possible (don't develop on the production box, don't process real production data on the development box).
Auditing: recoverability and accountability require maintaining an audit trail.
Often commercial security controls are discretionary, procedural, and decentralized: if you need the information, you get it, but you don't have a "level". MLS is much more mandatory and centralized.
Lessons
• Integrity relates to how much we trust an entity to produce, protect, or modify data.
• Unlike confidentiality, violations of integrity don't require external action.
• In some applications, particularly in the commercial world, integrity is more important than confidentiality.
Integrity Labels
Suppose we associate integrity labels with subjects and with objects in our system. The label should reflect the trustworthiness of the subject or reliability of the information in the object.
Important proviso: integrity labels are not also clearance labels. In a system that enforces both integrity and confidentiality, subjects/objects must have labels for each.
For example, a piece of information may be of dubious validity but very sensitive, or highly reliable and of little sensitivity. Can you think of an example?
Structure of Integrity Labels
What do the labels look like? According to one popular model, integrity labels look like BLP confidentiality labels.
A hierarchical component gives the level of trustworthiness.
A set of categories provides a list of domains of relevant competence.
For example, a physics professor might have integrity label:
(Expert: {Physics})
meaning that she has a very high degree of credibility in her area of expertise. But there's no particular reason to trust her opinion on a matter of politics or animal husbandry.
Dominates
Since integrity labels have the same structure as BLP labels, the dominates relation applies. It is defined exactly as with confidentiality.
Assume an ordered set of hierarchical levels: Novice < Student < Expert. Which of these are such that Label 1 dominates Label 2?
The Integrity Metapolicy
Recall with MLS, the BLP rules were really designed to constrain the flow of information within the system. We called that the "metapolicy." So what is the metapolicy for integrity?
Possible answer: Don't allow bad information to "taint" good information. An alternative formulation is: don't allow information to "flow up" in integrity.
As with MLS, we want to define an access control policy that implements the security (integrity) goals of the system. But what are the rules?
The Metapolicy: Implications
On analogy with BLP, bad (low integrity) information can flow into a good (high integrity) object if:
1. a low integrity subject writes bad information into a high integrity object; or
2. a high integrity subject reads bad information from a low integrity object (and then writes it into a high integrity object).
This suggests, by analogy with the BLP rules, a subject shouldn't be allowed to "write up" in integrity or to "read down" in integrity.
Lessons
• We can treat integrity by analogy with confidentiality and construct labels as we did with BLP.
• However, confidentiality and integrity are orthogonal issues; we have to treat them separately.
• A possible integrity metapolicy is this: information should not flow up in integrity.
Biba's Integrity Models
Ken Biba (1977) proposed three different integrity access control policies.
1. The Low Water Mark Integrity Policy
2. The Ring Policy
3. Strict Integrity
All assume that we associate integrity labels with subjects and objects, analogous to clearance levels in BLP.
Only Strict Integrity had much continuing influence. It is the one typically referred to as the "Biba Model" or "Biba Integrity".
Strict Integrity Policy
The Strict Integrity Policy is a mandatory integrity access control policy and is the dual of BLP.
Simple Integrity Property: Subject s can read object o only if i(s) ≤ i(o).
Integrity *-Property: Subject s can write to object o only if i(o) ≤ i(s).
Interpreting the Rules
• Simple Integrity means that a subject can only read objects at its own integrity level or above.
• The Integrity *-Property means that a subject can only write objects at its own integrity level or below.
This means that a subject's integrity cannot be tainted by reading bad (lower integrity) information; a subject cannot taint more reliable (higher integrity) information by writing into it.
Strict Integrity ACM
Since this is an access control policy, it can be represented as an access control matrix. Suppose H > L are hierarchical integrity levels.

Subjects  Level        Objects  Level
Subj1     (H,{A,B,C})  Obj1     (L,{A,B,C})
Subj2     (L,{})       Obj2     (L,{})
Subj3     (L,{A,B})    Obj3     (L,{B,C})

        Obj1   Obj2   Obj3
Subj1   W      W      W
Subj2   R      R,W    R
Subj3   R      W      -
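The dominates relation and the two Strict Integrity rules are small enough to implement directly, which makes the matrix above mechanical rather than something to work out by hand. The following is an added example, not code from the original slides; it encodes the subjects and objects of the ACM slide and the physics professor label of the Structure of Integrity Labels slide, and the level orderings H > L and Novice < Student < Expert are taken from the slides. Everything else (function and variable names) is this example's own.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Hierarchical integrity levels, ordered low to high. Two orderings from the
# slides: H/L for the ACM slide, Novice/Student/Expert for the Dominates slide.
HL_LEVELS = {"L": 0, "H": 1}
EXPERTISE_LEVELS = {"Novice": 0, "Student": 1, "Expert": 2}


@dataclass(frozen=True)
class Label:
    """An integrity label with the same shape as a BLP label: one hierarchical
    level plus a set of categories (domains of relevant competence)."""
    level: str
    cats: FrozenSet[str]


def L(level: str, *cats: str) -> Label:
    return Label(level, frozenset(cats))


def dominates(a: Label, b: Label, order: Dict[str, int] = HL_LEVELS) -> bool:
    """a dominates b iff a's level is at least b's level in `order` and a's
    categories are a superset of b's. Defined exactly as for BLP labels."""
    return order[a.level] >= order[b.level] and a.cats >= b.cats


def can_read(subject: Label, obj: Label, order: Dict[str, int] = HL_LEVELS) -> bool:
    """Simple Integrity Property: s may read o only if i(s) <= i(o), i.e. the
    object's label dominates the subject's (no "read down")."""
    return dominates(obj, subject, order)


def can_write(subject: Label, obj: Label, order: Dict[str, int] = HL_LEVELS) -> bool:
    """Integrity *-Property: s may write o only if i(o) <= i(s), i.e. the
    subject's label dominates the object's (no "write up")."""
    return dominates(subject, obj, order)


def access_matrix(subjects: Dict[str, Label], objects: Dict[str, Label],
                  order: Dict[str, int] = HL_LEVELS) -> Dict[str, Dict[str, str]]:
    """Strict Integrity access control matrix: each cell is "R", "W", "R,W" or "-"."""
    matrix: Dict[str, Dict[str, str]] = {}
    for s_name, s in subjects.items():
        row: Dict[str, str] = {}
        for o_name, o in objects.items():
            rights = []
            if can_read(s, o, order):
                rights.append("R")
            if can_write(s, o, order):
                rights.append("W")
            row[o_name] = ",".join(rights) or "-"
        matrix[s_name] = row
    return matrix


# Subjects and objects exactly as on the Strict Integrity ACM slide (H > L).
SUBJECTS = {"Subj1": L("H", "A", "B", "C"), "Subj2": L("L"), "Subj3": L("L", "A", "B")}
OBJECTS = {"Obj1": L("L", "A", "B", "C"), "Obj2": L("L"), "Obj3": L("L", "B", "C")}

# The physics professor from the Structure of Integrity Labels slide.
PHYSICS_PROF = L("Expert", "Physics")

if __name__ == "__main__":
    m = access_matrix(SUBJECTS, OBJECTS)
    print("        " + "  ".join(f"{o:<5}" for o in OBJECTS))
    for s in SUBJECTS:
        print(f"{s:<7} " + "  ".join(f"{m[s][o]:<5}" for o in OBJECTS))
    # Her label dominates a physics student's, but not a novice's label in politics:
    # the category set {Physics} is not a superset of {Politics}.
    print(dominates(PHYSICS_PROF, L("Student", "Physics"), EXPERTISE_LEVELS))
    print(dominates(PHYSICS_PROF, L("Novice", "Politics"), EXPERTISE_LEVELS))
```

Note that the only asymmetry between the two rules is which argument of `dominates` is the subject; swapping them gives the BLP rules, which is exactly the sense in which Strict Integrity is the dual of BLP.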
Combining BLP and Strict Integrity
To protect confidentiality and integrity, one could use both BLP and Biba's Strict Integrity policy.
• You'd need confidentiality labels and integrity labels for all subjects and objects.
• An access is allowed only if allowed by both the BLP rules and the Biba rules.
What would the corresponding access control matrix look like?
Lessons
• Biba's Strict Integrity Policy is a mandatory integrity access control policy and is the dual of BLP.
• It aims to keep information from flowing up in integrity.
• Since confidentiality and integrity are orthogonal they require different sets of labels and can be enforced separately or jointly.
Biba's Other Models
• We won't cover these in detail.
• Low Water Mark Policy
  • A subject can read everything, but if they read down their integrity level is lowered to the object's level.
  • A subject can only write down: to objects at or below its own integrity level (i(o) ≤ i(s)).
• Ring Policy
  • A subject can read everything, and its integrity level is unchanged.
  • A subject can only write down, as above.
Lipner's Model
• Lipner attempted to combine Biba and BLP to address commercial concerns.
• Each user and object has both confidentiality and integrity levels. The model is a little unintuitive.

User Role                  Confidentiality              Integrity
Ordinary Users             (SL, {SP})                   (ISL, {IP})
Application Developers     (SL, {SD})                   (ISL, {ID})
System programmers         (SL, {SSD})                  (ISL, {ID})
System managers/auditors   (AM, {SP,SD,SSD})            (ISL, {IP,ID})
System controllers         (SL, {SP,SD}) and downgrade  (ISP, {IP,ID})
Clark-Wilson Model
Commercial Concerns
Lipner's Integrity Matrix Model showed that BLP and Biba's Strict Integrity can be adapted to yield a workable commercial policy. But it's not necessarily a good fit.
David Clark and David Wilson (1987) argued that commercial security has its own unique concerns and merits a model crafted for that domain.
The overriding concern is consistency among the various components of the system state.
Example: In a bank, the funds at the beginning of the day plus the funds deposited minus the funds withdrawn should equal funds on hand at the end of the day.
Four Basic Concerns
Clark and Wilson claimed that the following are four fundamental concerns of any reasonable commercial integrity model:
• Authentication: identity of all users must be properly authenticated.
• Audit: modifications should be logged to record every program executed and by whom, in a way that cannot be subverted.
• Well-formed transactions: users manipulate data only in constrained ways. Only legitimate accesses are allowed.
• Separation of duty: the system associates with each user a valid set of programs they can run and prevents unauthorized modifications, thus preserving integrity and consistency with the real world.
Key Concepts
The policy is constructed in terms of the following categories:
• Constrained Data Items: CDIs are the objects whose integrity is protected.
• Unconstrained Data Items: UDIs are objects not covered by the integrity policy.
• Transformation Procedures: TPs are the only procedures allowed to modify CDIs, or take arbitrary user input and create new CDIs. Designed to take the system from one valid state to another.
• Integrity Verification Procedures: IVPs are procedures meant to verify maintenance of integrity of CDIs.
Policy Rules
There are two kinds of rules: Certification and Enforcement.
• C1: All IVPs must ensure that CDIs are in a valid state when the IVP is run.
• C2: All TPs must be certified as integrity-preserving (move from one valid state to another).
We must ensure that these TPs are certified to operate on a particular CDI:
• E1: Only certified TPs can manipulate CDIs.
• E2: Users must only access CDIs by means of TPs for which they are authorized.
This requires keeping track of triples (user, TP, {CDIs}).
• C3: Assignment of TPs to users must satisfy separation of duty.
We need authentication to ensure this:
• E3: The identity of each user attempting to execute a TP must be authenticated.
Policy Rules (Cont.)
Logging is always good:
• C4: The operation of TPs must be logged.
Input to the system can be UDIs, but we must check them:
• C5: TPs executing on UDIs must result in valid CDIs.
We must stop people from changing TP requirements to subvert the system:
• E4: Only the certifier of a TP may change the list of entities associated with that TP.
Ref: http://en.wikipedia.org/wiki/Clark%E2%80%93Wilson_model
Clark-Wilson (Cont.)
Permissions are encoded as a set of triples of the form:
(user, TP, {CDI set})
where user is authorized to perform a transformation procedure TP on the given set of constrained data items (CDIs).
Each triple in the policy must comply with all applicable certification and enforcement rules.
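The rules on the two Policy Rules slides and the (user, TP, {CDI set}) triples become concrete when you build a small reference monitor around them. The following is an added example, not code from the original slides or from Clark and Wilson's paper. It models the bank consistency example from the Commercial Concerns slide: the CDIs are account balances plus a ledger TOTAL, the IVPs check that the balances sum to TOTAL and nothing is overdrawn, and the TPs are a transfer, its reversal and a deposit slip whose raw text is a UDI. The TP names, user names, the "security_officer" certifier, the conflict between initiating and reversing transfers, and all balances are constructed for this example.

```python
from typing import Callable, Dict, FrozenSet, Iterable, List, Set, Tuple

Cdis = Dict[str, int]  # constrained data items: name -> balance in cents


class AccessDenied(Exception): pass
class IntegrityViolation(Exception): pass


class ClarkWilsonSystem:
    """Mechanically enforces E1-E4 and C1, C3-C5. C2 (a TP moves the system from one
    valid state to another) is what the certifier vouches for; it is double-checked
    here by rerunning every IVP after each TP and rolling back on failure."""

    def __init__(self) -> None:
        self.cdis: Cdis = {}
        self.tps: Dict[str, Tuple[Callable, str]] = {}               # TP name -> (procedure, certifier)
        self.triples: Set[Tuple[str, str, FrozenSet[str]]] = set()  # (user, TP, {CDIs})
        self.conflicts: Set[FrozenSet[str]] = set()                  # TP pairs one user may not hold both of
        self.ivps: List[Callable[[Cdis], bool]] = []
        self.log: List[Tuple] = []

    def certify_tp(self, name: str, proc: Callable, certifier: str) -> None:
        self.tps[name] = (proc, certifier)                           # E1: only certified TPs can run

    def add_ivp(self, ivp: Callable[[Cdis], bool]) -> None:
        self.ivps.append(ivp)

    def declare_conflict(self, tp_a: str, tp_b: str) -> None:
        self.conflicts.add(frozenset((tp_a, tp_b)))

    def authorize(self, certifier: str, user: str, tp: str, cdis: Iterable[str]) -> None:
        if tp not in self.tps or self.tps[tp][1] != certifier:
            raise AccessDenied(f"{certifier} did not certify {tp}")                    # E4
        held = {t for (u, t, _) in self.triples if u == user}
        if any(frozenset((tp, other)) in self.conflicts for other in held):
            raise IntegrityViolation(f"separation of duty: {user} cannot also hold {tp}")  # C3
        self.triples.add((user, tp, frozenset(cdis)))

    def check_ivps(self) -> None:
        if not all(ivp(self.cdis) for ivp in self.ivps):
            raise IntegrityViolation("CDIs are not in a valid state")                  # C1

    def execute(self, user: str, authenticated: bool, tp: str, cdis: Iterable[str], *args) -> None:
        if not authenticated:
            raise AccessDenied("unauthenticated user")                                 # E3
        wanted = frozenset(cdis)
        if not any(u == user and t == tp and wanted <= ok for (u, t, ok) in self.triples):
            raise AccessDenied(f"no triple lets {user} run {tp} on {sorted(wanted)}")  # E2
        snapshot = dict(self.cdis)
        try:
            self.tps[tp][0](self.cdis, *args)
            self.check_ivps()                                                          # C2, re-verified
        except Exception:
            self.cdis = snapshot                                                       # back to last valid state
            raise
        self.log.append((user, tp, tuple(sorted(wanted)), args))                       # C4


def attempt(fn: Callable, *args):
    """Return the exception class fn(*args) raised, or None if it succeeded."""
    try:
        fn(*args)
        return None
    except (AccessDenied, IntegrityViolation) as exc:
        return type(exc)


# --- Transformation procedures for a toy bank; all data below is constructed ---

def transfer(cdis: Cdis, src: str, dst: str, amount: int) -> None:
    if amount <= 0 or cdis[src] < amount:
        raise IntegrityViolation("bad transfer amount")
    cdis[src] -= amount
    cdis[dst] += amount


def reverse_transfer(cdis: Cdis, src: str, dst: str, amount: int) -> None:
    transfer(cdis, dst, src, amount)


def deposit_slip(cdis: Cdis, raw: str) -> None:
    """C5: `raw` is a UDI (an untrusted deposit slip such as "acct=bob;amount=250")
    and must be validated before it may change any CDI."""
    fields = dict(part.split("=", 1) for part in raw.split(";") if "=" in part)
    acct, amount = "acct:" + fields.get("acct", ""), fields.get("amount", "")
    if acct not in cdis or not amount.isdigit() or int(amount) == 0:
        raise IntegrityViolation(f"rejected UDI {raw!r}")
    cdis[acct] += int(amount)
    cdis["TOTAL"] += int(amount)


def build_bank() -> ClarkWilsonSystem:
    bank = ClarkWilsonSystem()
    bank.cdis.update({"acct:alice": 1000, "acct:bob": 500, "TOTAL": 1500})
    # IVPs: the ledger total equals the sum of balances, and nothing is overdrawn.
    bank.add_ivp(lambda c: sum(v for k, v in c.items() if k.startswith("acct:")) == c["TOTAL"])
    bank.add_ivp(lambda c: all(v >= 0 for v in c.values()))
    for name, proc in (("transfer", transfer), ("reverse_transfer", reverse_transfer), ("deposit_slip", deposit_slip)):
        bank.certify_tp(name, proc, certifier="security_officer")
    bank.declare_conflict("transfer", "reverse_transfer")   # initiator may not also be the corrector
    accts = ["acct:alice", "acct:bob"]
    bank.authorize("security_officer", "teller", "transfer", accts)
    bank.authorize("security_officer", "teller", "deposit_slip", accts + ["TOTAL"])
    bank.authorize("security_officer", "supervisor", "reverse_transfer", accts)
    return bank


if __name__ == "__main__":
    bank = build_bank()
    bank.execute("teller", True, "transfer", ["acct:alice", "acct:bob"], "acct:alice", "acct:bob", 300)
    bank.execute("teller", True, "deposit_slip", ["acct:alice", "acct:bob", "TOTAL"], "acct=bob;amount=250")
    print(bank.cdis, bank.log)
```

The rollback in `execute` is what keeps C1 true between transactions: a TP that throws halfway (or that passes its own checks but leaves the IVPs false) never leaves the CDIs in a partially updated state, and the log records only transactions that actually completed.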
Lessons
• Clark and Wilson identified a set of integrity concerns claimed to be of particular relevance within commercial environments: consistency, authentication, audit, etc.
• They proposed a set of mechanisms explicitly designed to address those specific concerns.
• Their policy is quite abstract and must be instantiated with specific data sets (constrained and unconstrained), transformation procedures, verification procedures, etc.
Role Based Access
Role-Based Access Control
• Role-based access control (RBAC) is a widely used security framework claimed to be especially appropriate for commercial settings.
• Unlike access control policies that assign permissions to subjects, RBAC associates permissions with functions/jobs/roles within an organization.
• A role is a collection of job functions. Roles within a bank might include: president, manager, trainer, teller, auditor, janitor, etc.
• Used in: Microsoft Active Directory, Microsoft SQL Server, SELinux, grsecurity, FreeBSD, Solaris, Oracle DBMS, PostgreSQL 8.1, SAP R/3, ISIS Papyrus, FusionForge, Wikipedia…
Roles and Transactions
Roles have an associated set of transactions, which are the activities that someone in that role is permitted to carry out.
The set of transactions can be organization specific: open an account, cash a check, transfer funds, etc.
An individual has:
• a set of authorized roles, which it is allowed to fill at various times;
• a set of active roles, which it currently occupies.
Primary Rules
The following are the three primary RBAC rules:
• Role assignment: A subject can execute a transaction only if the subject has an active role.
• Role authorization: A subject's active role must be an authorized role for that subject.
• Transaction authorization: A subject can execute a transaction only if the transaction is authorized for one of the subject's active roles.
Note that a subject can have multiple roles. For example, in a pinch a bank president might also act as a teller.
Subsumption and Separation of Duty
• One role may subsume another, meaning that anyone having role rj can do at least the functions of ri.
• Example: a trainer can perform all of the actions of a trainee, as well as some others.
• RBAC can also model separation of duty (one individual cannot assume both roles r1 and r2).
• Example: if teller is among S's authorized roles, auditor cannot be.
Example
(Callout: You wanted dynamic separation of duty, didn't you?)
• Roles
  • Teller
  • Accounting Supervisor
  • Personnel Manager
  • Bank Manager
• Transactions
  • Initiate Deposit
  • Initiate Withdrawal
  • Correct record
  • View teller log
  • Update salary
Match them up!
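One way to match them up, and to see the three primary rules, subsumption and both kinds of separation of duty interact, is to run the bank example through a small RBAC engine. This is an added example, not code from the original slides or from any RBAC implementation listed above. The assignment of transactions to roles is an assumption (the slide leaves it as an exercise), as is the rule that Bank Manager subsumes Accounting Supervisor and Personnel Manager; the Auditor role and the teller/auditor static separation of duty come from the previous slide, and the teller/supervisor dynamic separation of duty (you may hold both roles but not have both active at once) is this example's reading of the callout.

```python
from typing import Dict, FrozenSet, Iterable, Set


class RBAC:
    def __init__(self) -> None:
        self.transactions: Dict[str, Set[str]] = {}    # role -> transactions granted directly
        self.subsumes: Dict[str, Set[str]] = {}        # role -> roles whose functions it includes
        self.authorized: Dict[str, Set[str]] = {}      # user -> roles it may fill
        self.active: Dict[str, Set[str]] = {}          # user -> roles it currently occupies
        self.static_sod: Set[FrozenSet[str]] = set()   # pairs no user may be authorized for
        self.dynamic_sod: Set[FrozenSet[str]] = set()  # pairs no user may have active together

    def add_role(self, role: str, transactions: Iterable[str] = (), subsumes: Iterable[str] = ()) -> None:
        self.transactions[role] = set(transactions)
        self.subsumes[role] = set(subsumes)

    def effective_transactions(self, role: str) -> Set[str]:
        """Transactions of `role` plus those of every role it subsumes, transitively."""
        seen: Set[str] = set()
        todo = [role]
        result: Set[str] = set()
        while todo:
            r = todo.pop()
            if r in seen:
                continue
            seen.add(r)
            result |= self.transactions[r]
            todo.extend(self.subsumes[r])
        return result

    def authorize(self, user: str, role: str) -> bool:
        """Add `role` to the user's authorized roles unless static SoD forbids it."""
        held = self.authorized.setdefault(user, set())
        if any(frozenset((role, r)) in self.static_sod for r in held):
            return False
        held.add(role)
        return True

    def activate(self, user: str, role: str) -> bool:
        """Role authorization: only an authorized role may become active; dynamic SoD
        additionally refuses a role that conflicts with one already active."""
        if role not in self.authorized.get(user, set()):
            return False
        act = self.active.setdefault(user, set())
        if any(frozenset((role, r)) in self.dynamic_sod for r in act):
            return False
        act.add(role)
        return True

    def deactivate(self, user: str, role: str) -> None:
        self.active.get(user, set()).discard(role)

    def can_execute(self, user: str, transaction: str) -> bool:
        """Role assignment (some role must be active) plus transaction authorization."""
        active = self.active.get(user, set())
        if not active:
            return False
        return any(transaction in self.effective_transactions(r) for r in active)


def build_bank_rbac() -> RBAC:
    """The bank from the Example slide; the role/transaction matching is assumed."""
    r = RBAC()
    r.add_role("Teller", ["Initiate Deposit", "Initiate Withdrawal"])
    r.add_role("Accounting Supervisor", ["Correct record", "View teller log"])
    r.add_role("Personnel Manager", ["Update salary"])
    r.add_role("Auditor", ["View teller log"])
    r.add_role("Bank Manager", subsumes=["Accounting Supervisor", "Personnel Manager"])
    r.static_sod.add(frozenset(("Teller", "Auditor")))                  # from the previous slide
    r.dynamic_sod.add(frozenset(("Teller", "Accounting Supervisor")))   # cannot correct your own session
    return r


if __name__ == "__main__":
    bank = build_bank_rbac()
    bank.authorize("pat", "Teller")
    bank.authorize("pat", "Accounting Supervisor")
    bank.activate("pat", "Teller")
    print(bank.can_execute("pat", "Initiate Deposit"), bank.activate("pat", "Accounting Supervisor"))
    bank.deactivate("pat", "Teller")
    print(bank.activate("pat", "Accounting Supervisor"), bank.can_execute("pat", "Correct record"))
```

Static separation of duty is checked when roles are authorized; dynamic separation of duty is checked when roles are activated, so the same person can be both teller and supervisor over the course of a day without ever being both at the same moment.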
RBAC Advantages
RBAC is generally more flexible than standard access control policies:
• RBAC is easy to administer. Everyone in role teller has the same permissions.
• Permissions are appropriate to the organization: "open an account" rather than "read a file."
• RBAC recognizes that a subject often has various functions within the organization.
• RBAC allows a subject to transition between roles without having to change identities.
Lessons
• RBAC associates access permissions with a job/function/role rather than with individual subjects.
• RBAC supports well-known security principles:
  • Least Privilege
  • Separation of duties
• This provides a flexible approach to modeling the dynamism of commercial organizations.
Following slides are extra material we aren't covering in CS469
Biba’s Other Policies
Biba's Integrity Models
Ken Biba (1977) proposed three different integrity access control policies.
1. The Low Water Mark Integrity Policy
2. The Ring Policy
3. Strict Integrity
One difference among them is the amount of trust invested in subjects.
Strict Integrity places very little trust in subjects and constrains all reads and writes to ensure that information never flows up in integrity.
Biba's Low Water Mark Integrity Policy
In general, a water mark policy is one where an attribute monotonically floats up (high water mark) or down (low water mark), but may be "reset" at some point.
Biba's Low Water Mark Policy has the following two rules:
• If s reads o, then i′(s) = min(i(s), i(o)), where i′(s) is the subject's new integrity level after the read.
• Subject s can write to object o only if i(o) ≤ i(s).
What is the underlying assumption about subjects in this policy? Are they considered at all trustworthy?
Low Water Mark Policy
• A potential problem with the LWM Integrity policy is that it may monotonically decrease the integrity level of a subject unnecessarily.
• This sort of problem is called label creep and may result in an overly conservative analysis.
Ring Policy
1. Any subject can read any object, regardless of integrity levels.
2. Subject s can write to object o only if i(o) ≤ i(s).
This focuses on direct modification and solves some problems of the LWM Policy.
Does the Ring policy make some assumption about the subject that the LWM policy does not?
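The difference between the three Biba policies is only in the read rule, so they can be put side by side in a few lines and label creep observed directly. This is an added example, not code from the original slides; the level names low/medium/high, the subject name and the sequences of reads are constructed for the example, and integrity labels are reduced to a single hierarchical level (no categories) to keep the read rules to one line each.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# Hierarchical integrity levels, low to high (names are this example's own).
LEVELS = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Subject:
    name: str
    level: str  # mutable: the Low Water Mark policy lowers it on reads


def lower(a: str, b: str) -> str:
    """min(i(s), i(o)) on level names."""
    return a if LEVELS[a] <= LEVELS[b] else b


def read(policy: str, s: Subject, obj_level: str) -> bool:
    """Apply the read rule of `policy` ("strict", "lwm" or "ring") and return
    whether the read is permitted. Only LWM changes the subject's label."""
    if policy == "strict":
        return LEVELS[s.level] <= LEVELS[obj_level]   # simple integrity: no read down
    if policy == "lwm":
        s.level = lower(s.level, obj_level)           # i'(s) = min(i(s), i(o)); read always allowed
        return True
    if policy == "ring":
        return True                                   # read anything; subject is trusted to filter
    raise ValueError(f"unknown policy {policy!r}")


def write(s: Subject, obj_level: str) -> bool:
    """The write rule shared by all three policies: only if i(o) <= i(s) (no write up)."""
    return LEVELS[obj_level] <= LEVELS[s.level]


def scenario(policy: str) -> Dict[str, object]:
    """A high-integrity subject reads a low-integrity object, then tries to write a
    high-integrity object. Returns what each policy decides at each step."""
    s = Subject("proc", "high")
    read_ok = read(policy, s, "low")
    return {"read_low": read_ok, "level_after": s.level, "write_high": write(s, "high")}


def compare_policies() -> Dict[str, Dict[str, object]]:
    return {p: scenario(p) for p in ("strict", "lwm", "ring")}


def label_after_reads(policy: str, reads: Iterable[str]) -> str:
    """Label creep: under LWM the subject's level only ever goes down, so a single
    low read is never undone by later high reads (there is no reset here)."""
    s = Subject("proc", "high")
    for obj_level in reads:
        read(policy, s, obj_level)
    return s.level


if __name__ == "__main__":
    for policy, outcome in compare_policies().items():
        print(f"{policy:<6} {outcome}")
    print(label_after_reads("lwm", ["medium", "high", "low", "high"]))
    print(label_after_reads("ring", ["medium", "high", "low", "high"]))
```

Strict Integrity refuses the low read outright; the Low Water Mark policy allows it but the subject is then stuck at low and can no longer write the high object; the Ring policy allows the read and leaves the write permitted, which is exactly the extra trust it places in the subject.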
Lessons
• In Biba's Low Water Mark policy, a subject's integrity level falls if it ever reads low integrity information.
• The Ring Policy is more trusting of the subject, assuming that a subject can properly filter the information it receives.
• All of Biba's three policies preclude a subject from writing up in integrity.
Lipner’s Model
Commercial Integrity Constraints
Recall that Steve Lipner (Microsoft) described some integrity concerns you might find in a commercial data processing environment:
1. Users will not write their own programs, but use existing production software.
2. Programmers develop and test applications on a nonproduction system, possibly using contrived data.
3. Moving applications from development to production requires a special process.
4. This process must be controlled and audited.
5. Managers and auditors must have access to system state and system logs.
Can we use our existing modeling mechanisms to build a secure system that addresses such constraints?
Lipner's Integrity Matrix Model
Lipner devised his Integrity Matrix Model to handle those concerns via a combination of BLP and Biba Integrity.
There are two confidentiality levels:
Audit Manager (AM): system audit and management.
System Low (SL): all other processes.
In addition there are three confidentiality categories:
Production (SP): production code and data.
Development (SD): programs under development.
System Development (SSD): system programs in development.
Lipner's Model (Cont.)
In addition to the confidentiality constraints, we also impose integrity constraints. There are three integrity classifications (highest to lowest):
• System Program (ISP): system software
• Operational (IO): production programs and development software
• System Low (ISL): user level behavior
Two integrity categories:
• Development (ID)
• Production (IP)
Subject Levels
Security levels (both confidentiality and integrity) are assigned to subjects based on their roles in the organization and their need to know.

User Role                  Confidentiality              Integrity
Ordinary Users             (SL, {SP})                   (ISL, {IP})
Application Developers     (SL, {SD})                   (ISL, {ID})
System programmers         (SL, {SSD})                  (ISL, {ID})
System managers/auditors   (AM, {SP,SD,SSD})            (ISL, {IP,ID})
System controllers         (SL, {SP,SD}) and downgrade  (ISP, {IP,ID})

Here downgrade means the ability to move software (objects) from development to production.
Object Levels
Security levels (both confidentiality and integrity) are assigned to objects based on who should access them.

Object Type                        Confidentiality                  Integrity
Development code/test data         (SL, {SD})                       (ISL, {ID})
Production code                    (SL, {SP})                       (IO, {IP})
Production data                    (SL, {SP})                       (ISL, {IP})
Software tools                     (SL, {})                         (IO, {ID})
System programs                    (SL, {})                         (ISP, {IP,ID})
System programs in modification    (SL, {SSD})                      (ISL, {ID})
System and application logs        (AM, {appropriate categories})   (ISL, {})

System programs sit at ISP, the integrity classification defined for system software; only system controllers, who are also at ISP, can therefore modify them.
Lipner's Model
Some questions:
1. Can an ordinary user utilize a system program? Modify it?
2. Can a system programmer use production software? Modify it?
3. Why is that special downgrade permission required? Could it be done with BLP and Biba alone?
The answers:
1. That depends on what "utilize" means. If "utilize" means "read" then he can read, but not modify.
2. Neither.
3. Moving objects from the development to production world means changing their labels. There's no obvious way to do that in BLP or Biba.
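The "Combining BLP and Strict Integrity" slide asked what the joint access control matrix looks like, and the questions above are answered by reading cells out of that matrix for Lipner's labels. The following added example (not code from the original slides or from Lipner's paper) carries two labels per entity, checks every access against both the BLP rules and the Biba Strict Integrity rules, and tabulates the subject and object levels from the two tables above. Assumptions beyond the slides: the log objects are given the confidentiality categories {SP, SD, SSD} where the table says "appropriate categories", and the downgrade operation is modelled as an explicit relabelling permitted only to System controllers, since neither model has a rule for it.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

CONF_LEVELS = {"SL": 0, "AM": 1}               # System Low < Audit Manager
INTEG_LEVELS = {"ISL": 0, "IO": 1, "ISP": 2}   # System Low < Operational < System Program


@dataclass(frozen=True)
class Label:
    level: str
    cats: FrozenSet[str]


def dominates(a: Label, b: Label, order: Dict[str, int]) -> bool:
    return order[a.level] >= order[b.level] and a.cats >= b.cats


@dataclass(frozen=True)
class Entity:
    """A subject or object carries two independent labels, one per model."""
    conf: Label
    integ: Label


def E(clevel: str, ccats: Iterable[str], ilevel: str, icats: Iterable[str]) -> Entity:
    return Entity(Label(clevel, frozenset(ccats)), Label(ilevel, frozenset(icats)))


def blp_allows(s: Entity, o: Entity, op: str) -> bool:
    if op == "read":                                    # simple security: s dominates o
        return dominates(s.conf, o.conf, CONF_LEVELS)
    return dominates(o.conf, s.conf, CONF_LEVELS)       # *-property: no write down


def biba_allows(s: Entity, o: Entity, op: str) -> bool:
    if op == "read":                                    # simple integrity: no read down
        return dominates(o.integ, s.integ, INTEG_LEVELS)
    return dominates(s.integ, o.integ, INTEG_LEVELS)    # integrity *-property: no write up


def allowed(s: Entity, o: Entity, op: str) -> bool:
    """An access is allowed only if both BLP and Biba allow it."""
    return blp_allows(s, o, op) and biba_allows(s, o, op)


# Subject and object levels from Lipner's tables above.
SUBJECTS = {
    "Ordinary Users":           E("SL", {"SP"}, "ISL", {"IP"}),
    "Application Developers":   E("SL", {"SD"}, "ISL", {"ID"}),
    "System programmers":       E("SL", {"SSD"}, "ISL", {"ID"}),
    "System managers/auditors": E("AM", {"SP", "SD", "SSD"}, "ISL", {"IP", "ID"}),
    "System controllers":       E("SL", {"SP", "SD"}, "ISP", {"IP", "ID"}),
}
OBJECTS = {
    "Development code/test data":      E("SL", {"SD"}, "ISL", {"ID"}),
    "Production code":                 E("SL", {"SP"}, "IO", {"IP"}),
    "Production data":                 E("SL", {"SP"}, "ISL", {"IP"}),
    "Software tools":                  E("SL", set(), "IO", {"ID"}),
    "System programs":                 E("SL", set(), "ISP", {"IP", "ID"}),
    "System programs in modification": E("SL", {"SSD"}, "ISL", {"ID"}),
    # "appropriate categories" for the logs is assumed to be all three.
    "System and application logs":     E("AM", {"SP", "SD", "SSD"}, "ISL", set()),
}


def access(subject: str, obj: str) -> str:
    """Matrix cell for (subject, object): "R", "W", "R,W" or "-"."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    rights = [op[0].upper() for op in ("read", "write") if allowed(s, o, op)]
    return ",".join(rights) or "-"


def downgrade_to_production(actor: str, obj: str) -> Optional[Entity]:
    """Move software from development to production by relabelling it.
    Neither BLP nor Biba lets a subject change labels, so this is a trusted
    operation outside both models; it is assumed to be granted to System
    controllers only (the "and downgrade" entry). Returns the new label pair,
    or None if the actor may not downgrade or the object is not development code."""
    if actor != "System controllers" or obj != "Development code/test data":
        return None
    return OBJECTS["Production code"]


if __name__ == "__main__":
    width = max(len(o) for o in OBJECTS)
    for s in SUBJECTS:
        print(s)
        for o in OBJECTS:
            print(f"    {o:<{width}}  {access(s, o)}")
```

Run as a script it prints the whole matrix. Two cells worth noticing: system controllers get "-" on both development code and production code, so without the out-of-model downgrade they could not touch either, and with the categories as tabulated the managers/auditors row comes out as R on system programs and W on the logs only, which is one of the places the model is "not entirely intuitive".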
Lessons
• Lipner developed a hybrid policy using both BLP and Biba's Strict Integrity to address commercial integrity concerns.
• Some modifications relating to tranquility were required to allow moving applications from the development to production domains.
• The result is acceptable but not entirely intuitive. Perhaps an entirely new modeling paradigm would be preferable.